<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3562" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=314001618-21072009><FONT face=Arial
color=#0000ff size=2>I think you're missing part of the picture. Apache
writes its messages to private log files and what you are trying to do (though
I'm not sure you know that) is feed the live content of those files into the
syslog-ng logging system in real time. Once you get that feed into
syslog-ng working then yes forwarding syslog-ng messages to a remote
location is fairly straightforward and people will be able to give you lots of
example of how to do that. But you need to get step one working
first.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=314001618-21072009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=314001618-21072009><FONT face=Arial
color=#0000ff size=2>So I think you need to adopt a three phase approach. First
get your Apache logs feeding into syslog-ng on the local nodes and thereby
appearing in /var/log/messages. Once you have that working, figure how to filter
them out from the rest of the syslog traffic and send them to local
files written by syslog-ng. Third figure out how to send them to a remote
server.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=314001618-21072009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=314001618-21072009><FONT face=Arial
color=#0000ff size=2>Those are my thoughts anyway, your mileage may
vary.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=314001618-21072009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=314001618-21072009><FONT face=Arial
color=#0000ff size=2>Joe.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>On Behalf Of </B>lance
raymond<BR><B>Sent:</B> 21 July 2009 16:33<BR><B>To:</B> Syslog-ng users' and
developers' mailing list<BR><B>Subject:</B> Re: [syslog-ng] Before the basic 101
questions<BR></FONT><BR></DIV>
<DIV></DIV>Not sure on that last post. Each webserver's vhosts name the
logs in the following manner (ws =
webserver);<BR>ws1.sitename.com-access<BR>ws1.sitename,com-error<BR>ws1.othersite.com-access
... and so on. <BR><BR>So I simply want to send every file (rather than
logging local) to goto the central. When I look at the central, I will
have only log folder
with;<BR>ws1.sitename.com-access<BR>ws2.sitename.com-access ... and so
on<BR><BR>The post above noticed I was doing a folder (/var/log/apache2) where I
don't know if you can say for the source /var/log/apache2/* or
something.<BR><BR>I am also puzzled as this to me is a real basic thing.
Take ALL apache logs and send to remote box. No-one has come and said,
here is my config and it works fine. Just something that I can look at an
entire server and client to see how it's done (which is why I posted
mine).<BR><BR>Really thought this was an easy thing. Even using
webmin. There is no clear cut, a server is setup like this, remote client
like that. Fustrating is not even the start of how to describe this, but
thanks for all replies so far.<BR><BR>
<DIV class=gmail_quote>On Tue, Jul 21, 2009 at 3:44 AM, Siem Korteweg <SPAN
dir=ltr><<A
href="mailto:Siem.Korteweg@qnh.nl">Siem.Korteweg@qnh.nl</A>></SPAN>
wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">Lance,<BR><BR>Depending
on how you want to process the collected logfiles, you can also<BR>configure
Apache:<BR><BR>ErrorLog syslog:local1<BR>CustomLog "|/usr/bin/logger -t apache
-i -p local6.notice" combined<BR><BR>This can be done global (for all virtual
hosts) or per virtual host. How to<BR>add the name of the virtual host to the
messages in the access logs can be<BR>found here: <A
href="http://httpd.apache.org/docs/2.0/logs.html"
target=_blank>http://httpd.apache.org/docs/2.0/logs.html</A><BR><BR>All that
remains to be done is to forward syslog from the client with the<BR>webservers
to the syslog-ng server.<BR><BR>regards,<BR><BR>Siem
Korteweg<BR><BR>-----Oorspronkelijk bericht-----<BR>Van: <A
href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</A>
namens lance raymond<BR>Verzonden: di 21-7-2009 4:07<BR>Aan: Syslog-ng users'
and developers' mailing list<BR>Onderwerp: Re: [syslog-ng] Before the basic
101 questions<BR>
<DIV>
<DIV></DIV>
<DIV class=h5><BR>Joe, thanks for the update. Yes, that is the
directory name. Now<BR>regarding the "file", I will start a little more
reading, but I don't think<BR>I would have to do this for each file right?
This server (along with the<BR>others in the cluster) have 12 or so
virtual sites, each with it's own<BR>access and error log, so that would be at
least 24 'file' sources. Is there<BR>a way to wildcard it?<BR><BR>Also,
(I know this too is a basic Q) but are these defined on the<BR>server/client
or both? I still don't see how they mesh, but soon, oh soon<BR>when that
light comes on!<BR><BR>Thanks<BR><BR>On Mon, Jul 20, 2009 at 8:38 PM, Fegan,
Joe <<A href="mailto:Joe.Fegan@hp.com">Joe.Fegan@hp.com</A>>
wrote:<BR><BR>> I'm no apache expert, but I think /var/log/apache2 is
the name of a<BR>> directory that contains apache log files, right? But you
have defined it as<BR>> a unix-stream source:<BR>><BR>> source inputs
{ internal();<BR>>
unix-stream("/var/log/apache2");<BR>>
udp();<BR>>
tcp(max_connections(100)); };<BR>><BR>> unix-stream is for
reading a socket, not a directory, so this can't work...<BR>><BR>> You
can use "file" sources for individual files in that
directory..<BR>><BR>> ------------------------------<BR>>
*From:* <A
href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</A>
[mailto:<BR>> <A
href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</A>]
*On Behalf Of *lance raymond<BR>> *Sent:* 20 July 2009 21:52<BR>> *To:*
Syslog-ng users' and developers' mailing list<BR>> *Subject:* Re:
[syslog-ng] Before the basic 101 questions<BR>><BR>> ok, here is the
update. I have built a standalone ubuntu box to be the<BR>> central server
so now have that I can 'play' with. It's a clean<BR>install,and<BR>>
really not sure what to do as this list seems to be the best resource.
So,<BR>> I would think you can specify 'a' logfile, but I need ALL
the apache logs<BR>> centrally located, so going to say, take everything
from /var/log/apache2<BR>> and send it to the central log
server.<BR>><BR>> The central log server as I said is a default setup,
due to size, I copied<BR>> them up to a play webserver, the server can be
seen here;<BR></DIV></DIV>> server.conf <<A
href="http://www.darkerforce.com/server.conf"
target=_blank>http://www.darkerforce.com/server.conf</A>><BR>
<DIV class=im>> and the client here (the only thing changed is the remote
IP)<BR></DIV>> client.conf <<A
href="http://www.darkerforce.com/client.conf"
target=_blank>http://www.darkerforce.com/client.conf</A>><BR>
<DIV>
<DIV></DIV>
<DIV class=h5>><BR>> When left like that and syslog-ng is started on the
client I get the<BR>> following;<BR>><BR>> Error binding socket;
addr='AF_UNIX(/var/log/apache2)', error='Address<BR>> already in use
(98)'<BR>> Error initializing source driver;
source='inputs'<BR>><BR>> As I said before, I am not looking for
anything complex, etc. Just want<BR>> ALL the weblogs to goto one box
which is really the function of syslog-ng.<BR>> I am sure there is one or
two things that need a tweak, and I can go from<BR>> there.<BR>><BR>>
Thanks.<BR>><BR>><BR>> On Wed, Jul 15, 2009 at 3:45 AM, Sandor Geller
<<BR>> <A
href="mailto:Sandor.Geller@morganstanley.com">Sandor.Geller@morganstanley.com</A>>
wrote:<BR>><BR>>> Hi,<BR>>><BR>>> On Tue, Jul 14, 2009 at
10:06 PM, lance raymond<<A
href="mailto:lance.raymond@gmail.com">lance.raymond@gmail.com</A>><BR>>>
wrote:<BR>>> > What I thought of was to make each file
unique;<BR>>> > ws = webserver;<BR>>> ><BR>>> >
ws1.domain.com-access_log<BR>>> >
ws2.domain.com-access_log<BR>>> ><BR>>> > and just write
them each to an nfs share.<BR>>><BR>>> It'd not the name of the
files which matter. When a single process<BR>>> (like syslog-ng) writes
to a file then NFS behaves well. The problems<BR>>> start when there are
multiple processes trying to access the same<BR>>> file. Disabling
attribute caching in the NFS client could help, but<BR>>> this could
have a big impact on performance.<BR>>><BR>>> > Not flaming the
group at all, actually Bazsi your name shows up more<BR>>>
than<BR>>> > any of my normal mail :) But, I have tried twice
with a reply or two,<BR>>> and<BR>>> > once conf files were
sent up and/or shown the thread died. I see some<BR>>>
very<BR>>> > intersting questions, answers on the group and it would
be nice to see<BR>>> some<BR>>> > of these things, but really,
I am talking about a handful of webservers<BR>>> > (nothing fancy)
just to write to a central log and it's not working.<BR>>>
The<BR>>> > basic syslog @server worked perfect, since the platform
updates, just<BR>>> not<BR>>> > working, but I appreciate the
reply.<BR>>><BR>>> So could you please tell what is the actual
problem?<BR>>><BR>>> Regards,<BR>>><BR>>>
Sandor<BR>>><BR>>><BR>_____________________________________________________________________________<BR>_<BR>>>
Member info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>>>
Documentation:<BR>>> <A
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>>>
FAQ: <A href="http://www.campin.net/syslog-ng/faq.html"
target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR>>><BR>>><BR>><BR>><BR>><BR>_____________________________________________________________________________<BR>_<BR>>
Member info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>>
Documentation:<BR>> <A
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>>
FAQ: <A href="http://www.campin.net/syslog-ng/faq.html"
target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR>><BR>><BR>><BR><BR></DIV></DIV><BR>______________________________________________________________________________<BR>Member
info: <A href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>Documentation:
<A href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target=_blank>http://www.balabit.com/support/documentation/?product=syslog-ng</A><BR>FAQ:
<A href="http://www.campin.net/syslog-ng/faq.html"
target=_blank>http://www.campin.net/syslog-ng/faq.html</A><BR><BR><BR></BLOCKQUOTE></DIV><BR></BODY></HTML>